X

Thoughts on Permissions

Some ideas about Leopard permissions problems and what you can readily do about them.

CNET staff
5 min read

Reports of permissions problems have been ongoing since people started upgrading to Leopard, and even though we just gave some advice on this matter a couple of days ago, we'd like to try to sum up the situation.

Symptoms Permissions have to do with the ability of certain users to make certain kinds of change. Thus, if you can't make a certain change and you think you should be able to, that sounds like a permissions problem. For example, users have complained that changes made in preferences of an application or a preference pane do not "stick"; the next time they log in, the change has reverted to what it was previously. That sounds like a permissions problem: the user isn't able to modify the file into which the preferences settings are written. (A problem like this doesn't reveal itself until you log out and log in again, because initially the change is held in memory and so continues to work. Permissions are about accessing things on disk.) Similarly, the Finder might challenge you in an unusual way when you try to rename or move a file.

Permissions Repair The basic locus of automatic permissions repair is the Repair Permissions button in Disk Utility. Unfortunately, this is not a panacea. For some system-related areas of the computer, and for certain items that were placed on your disk through the Installer, Repair Permissions knows what the permissions should be. But it won't alter the permissions of things inside your home folder, for instance.

A disappointing aspect of Repair Permissions in Leopard is that it does not deal with ACLs (Access Control Lists), a secondary layer of permissions control laid on top of standard Unix permissions, tentatively introduced in Tiger and actually used for the first time in Leopard. Repair Permissions will announce that it is surprised to discover that a certain folder has an unexpected ACL setting, but it won't do anything about it (in other words, it won't repair that kind of permissions).

(ACL settings can be viewed and altered only through the Terminal, using tools like ls and chmod. These tools are not hard to use, but they are unlikely to be every user's cup of tea. Can you say "third-party opportunity"? It probably won't be long before someone releases a nice GUI app that can help users manage ACLs.)

Repair Permissions will also refuse to fix certain other permissions, and will tell you so. The most common example experienced by Leopard users so far is this message: Warning: SUID file "System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent" has been modified and will not be repaired. MacFixIt has been advising readers who write to us with concerns about this, and it has now been confirmed by Apple, that this message is not a problem and may be safely ignored. But the experience raises the question of whether Repair Permissions is as user-friendly as it might be.

Nonetheless, Repair Permissions does repair some permissions. One reader reports that he was getting the problem where Adobe Updater would refuse to run because it wanted administrator rights, and where every change to the Applications folder was requiring a password, even though he was the administrator. That sounds like a permissions problem! Sure enough, using the Finder's Get Info window on the Applications folder revealed that it had a bad Group ("unknown"). But, alas, trying to fix this in the Get Info window just caused the Finder to crash. Repair Permissions did fix the problem, though.

Some users reported initially after installing Leopard that running Permissions Repair takes a very long time. It is probably safe to conclude that this should not be the case. The change in Permissions Repair's interface from Tiger to Leopard, where in Tiger it would show you its progress as it passes over the hard disk, but in Leopard you just see a spinning barber pole that gives no sense of how things are progressing, is disappointing. But on my machine, holding 51GB of data, Repair Permissions takes less than two minutes. If you're finding that even after half an hour the process is going nowhere, something further is wrong.

The Login and Keychain Update If Repair Permissions is taking too long, what can you do about it? Well, remember the Login and Keychain Update 1.0? This update is advertised by Apple as fixing some login and wireless network connection problems, but perhaps the problems that it fixes run deeper, because one user informs us that his troubles with Repair Permissions taking a long time went away after he installed the update. It's hard to say why this would be; the Login and Keychain Update replaces some very basic frameworks and extensions whose function is a little opaque. But if you're having permissions problems and you haven't tried installing this update, you might give it a go.

An odd thing about the Login and Keychain Update is that, on my machine it least, it does not advertise itself through Software Update. Apple states that this update "is recommended for all Leopard installations", but how are users supposed to take advantage of it if they don't know about it? The material in the Login and Keychain Update will undoubtedly be rolled into the 10.5.1 system update that is probably being prepared even as we speak, but that doesn't help users who may be having problems right now.

Drop Back and Punt If all else fails, we'd like to suggest, at some risk of sounding like a broken record (if you're old enough to remember what those are), that you reinstall Leopard, more cleanly this time. If you did a simple Update (the default), this time, don't. If you did an Archive and Install and you checked "Preserve Users", this time, don't. Try an Archive and Install where you don't check "Preserve Users", as discussed in our tutorial on this topic. All your stuff will be saved under Previous Systems, but the system and user you'll be starting with will be absolutely clean, and should have correct permissions. The idea here is to satisfy yourself, before doing anything else, that the computer is now working well. That is a very comforting situation to be in! You can then migrate your stuff gradually from Previous Systems (or fetch it out of your Time Machine backup); this migration sounds like a lot of work, but it needn't take longer than an hour or two. (But what we advise against is doing an automatic migration; this runs the risk of reintroducing whatever was causing the problem in the first place.) We are regularly excoriated by doubters for this recommendation, but offsetting this is the sizable number of users who report to us, privately, that it works.

Resources

  • gave some advice
  • confirmed by Apple
  • Login and Keychain Update ...
  • tutorial
  • More from Late-Breakers